The ACL2 Proof Assistant Formal Methods Jeremy Johnson

Topics  ACL2 as a specification language  Reasoning about ACL2 programs  Equational reasoning  Induction and recursion  ACL2 as a logic  ACL2 axioms  Definitional axioms and input contracts  Induction principle  ACL2 as a theorem prover

Sorting  Given a list L = (L 1 … L n ) of elements from a totally ordered set (e.g. rationals with ≤) return a list M = (M 1 … M n ) such that  (sorted M), i.e. M 1 ≤ M 2 ≤    ≤ M n  M = (permutation L), i.e. M i = L  (i) where  is a bijection from {1,…,n} to {1,…,n}

sortedp  Predicate to test to see if a list is sorted  Should check to see that L is a list of rationals  (x 1 x 2 … x n ) with x 1 ≤ x 2 ≤    ≤ x n  x i ≤ x i+1 for 1 ≤ i < n   i x i ≤ x i+1  1 ≤ i  i < n (defun sortedp (L) (cond ((equal L nil) t) ((equal (length L) 1) t) ((and (<= (first L) (second L)) (sortedp (rest L))))))

Correctness of sortedp  L = (x 1 x 2 … x n )  By induction on len(L)  Base cases L nil or of length 1  Show x i ≤ x i+1 for 1 ≤ i < n  x 1 ≤ x 2 and by induction x i ≤ x i+1 for 2 ≤ i < n

Insertion Sort ; input. L is a list of integers ; output is a sorted list of integers whose elements are the same as in L. (defun insertionsort (L) (if (equal L nil) nil (insert (first L) (insertionsort (rest L))))) ; inputs x is an integer and L is a list of rationals that is sorted ; output is a sorted list of integers. (defun insert (x L) (cond ((equal L nil) (list x)) ((<= x (first L)) (cons x L)) ((cons (first L) (insert x (rest L))))))

Testing of Insertion Sort (check= (insert 1 nil) '(1)) (check= (insert 4 '(1 2 3)) '( )) (check= (insert 0 '(1 2 3)) '( )) (check= (insert 2 '(1 3)) '(1 2 3)) (check= (sortedp (insert 2 '(1 3))) t) (check= (insertionsort '(3 2 1)) '(1 2 3)) (check= (sortedp (insertionsort '( ))) t)

Correctness of insertionsort L = (L 1 … L n ) 1.(insertionsort L) terminates and returns a list 2.(insertionsort L) is sorted 3.(insertionsort L) is a permutation of L Proof by induction on n 1.For n  0, recursive call with smaller n 2.Recursive call produces a sorted list of (rest L) by induction and (insert (first L) (insertionsort (rest L))) returns a sorted list (by induction) 3.Recursive call returns a permutation of (rest L) and insert returns a list containing (first L) and elements of (rest L)

Formal Correctness Proof (defthm insert-sortedp (implies (sortedp L) (sortedp (insert x L)))) (defthm insertion-sort-is-sorted (sortedp (insertion-sort L))) (defthm insert-perm-cons (implies (perm L P) (perm (insert x L) (cons x P)))) (thm (perm (insertion-sort L) L))

Insertion Sort (defunc insertion-sort (L) :input-contract (list-rationalp L) :output-contract (and (list-rationalp (insertion-sort L)) (sortedp (insertion-sort L)) (perm (insertion-sort L) L)) (if (equal L nil) nil (insert (first L) (insertion-sort (rest L)))) )

insert (defunc insert (x L) :input-contract (and (rationalp x) (list-rationalp L) (sortedp L)) :output-contract (and (list-rationalp (insert x L)) (sortedp (insert x L)) (perm (insert x L) (cons x L))) (cond ( (equal L nil) (list x) ) ( (<= x (first L)) (cons x L) ) ( (cons (first L) (insert x (rest L))) ) )

sortedp (defunc sortedp (x) :input-contract (list-rationalp x) :output-contract (booleanp (sortedp x)) (cond ( (equal x nil) t ) ( (equal (len x) 1) t ) ( t (and (<= (first x) (second x)) (sortedp (rest x))) ) )

list-rationalp (defunc list-rationalp (x) :input-contract t :output-contract (booleanp (list-rationalp x)) (cond ( (equal x nil) t) ( (consp x) (and (rationalp (first x)) (list-rationalp (rest x))) ) ( t nil) )

list-rationalp (defunc sortedp (x) :input-contract (list-rationalp x) :output-contract (booleanp (sortedp x)) (cond ( (equal x nil) t ) ( (equal (len x) 1) t ) ( t (and (<= (first x) (second x)) (sortedp (rest x))) ) )

perm (defunc perm (L P) :input-contract (and (list-rationalp L) (list-rationalp P)) :output-contract (booleanp (perm L P)) (cond ( (equal L nil) (equal P nil) ) ( t (and (in (first L) P) (perm (rest L) (del (first L) P))) ) )

in (defunc in (x L) :input-contract (and (rationalp x) (list-rationalp L)) :output-contract (booleanp (in x L)) (cond ( (equal L nil) nil ) ( (equal x (first L)) t ) ( t (in x (rest L)) ) )

del (defunc del (x L) :input-contract (and (rationalp x) (list-rationalp L)) :output-contract (list-rationalp (del x L)) (cond ( (equal L nil) nil ) ( (equal x (first L)) (rest L) ) ( t (cons (first L) (del x (rest L))) ) )

How was ACL2 able to do this?  Proofs use formal reasoning  Axioms for built-in functions (consp, if, equal)  Every time we define a function that ACL2s admits, we also get a definitional axiom  an axiom stating that the function is equal to its body. I.E. Replace a function call by its body substituting the formal parameters with the arguments  Reason using properties of first order logic  Equational reasoning  Well founded induction

Example  Reason about the following functions (defunc len (x) :input-contract t :output-contract (natp (len x)) (if (atom x) 0 (+ 1 (len (rest x)))))

Example (defunc atom (x) :input-contract t :output-contract (booleanp (atom x)) (not (consp x))) (defunc not (a) :input-contract (booleanp a) :output-contract (booleanp (not a)) (if a nil t))

Example Theorem: (equal (len (cons x (list z))) 2)  (len (cons x (list z)))  (if (atom (cons x (list z))) 0 (+ 1 (len (rest (cons x (list z)))))) {def of len}  (if (atom (cons x (list z))) 0 (+ 1 (len (list z)))) {first-rest axiom}  (if (not (consp (cons x (list z)))) 0 (+ 1 (len (list z)))) {def of atom}

Example Continued  (if (if (consp (cons x (list z))) nil t) 0 (+ 1 (len (list z)))) {def of not}  (if (if t nil t) 0 (+ 1 (len (list z)))) {consp axiom}  (if nil 0 (+ 1 (len (list z)))) {if axiom}  (+ 1 (len (list z))) {if axiom}  (+ 1 (len (cons z nil))) {expand list macro}  …  (+ 1 1) = 2  (equal 2 2) = t

Example Proof Conjecture: (equal (len (cons x (list z))) (len (cons y (list z))))  The previous theorem showed (len (cons x (list z))) = 2  Similar reasoning shows (len (cons y (list z))) = 2  Alternatively we can substitute x=y in the theorem to obtain (len (cons y (list z))) = 2

Counter Example  Same type of reasoning can be use to prove conjectures false  Conjecture: (equal (len (list x)) (len x))  (equal (len (list nil)) (len nil))  Compute (len nil) and (len (list nil)) and compare

Counter Example  (len nil)  (if (atom nil) 0 (+ 1 (len (rest nil))))) [def of len]  (if t 0 (+ 1 (len (rest nil))))) [def of atom]  0 [if axiom]  (len (list nil))  (if (atom (list nil)) 0 (+ 1 (len (rest (list nil)))))) [def of len]  (if nil 0 (+ 1 (len (rest nil))))) [def of atom]  (+ 1 (len (rest nil)))) [if axiom]

Counter Example  (len (list nil))  (if (atom (list nil)) 0 (+ 1 (len (rest (list nil)))))) [def of len]  (if nil 0 (+ 1 (len (rest (list nil))))) [def of atom]  (+ 1 (len (rest (list nil))))) [if axiom]  (+ 1 (len nil)) [first-rest axiom]  (+ 1 0) [previous calculation]  1  0

List Processing  Recursive Definition  List := nil | (cons All List)  List := nil (cons Type List )  Process lists using these two cases and use recursion to recursively process lists in cons  Use first and rest to access components of cons  Size is the number of conses (generally number of constructors)  Prove properties by inducting on size – assume property holds for smaller size objects and show that this implies it holds for object at hand 27

Append (defun append (x y) (if (equal x nil) y (cons (first x) (append (rest x) y))))  Properties 1.(append x nil) = x 2.(length (append x y)) = (+ (length x) (length y)) 3.(append x (append y z)) = (append (append x y) z) 28

Structural Induction  When using induction on recursively defined data structures like lists you can induct on the size of the data structure = to the number of calls to the constructors.  When trying to show a property for a data structure of a given size, you can assume that the property holds when making a recursive call on a smaller data structure. You must make sure that the property holds for all constructors including base cases.  With lists (rest …) will return a smaller data structure (at least one fewer cons)  Structural induction allows you to induct on the recursive data structure without being explicit about the size provided the IH is applied to smaller objects.

Proof of Property 1  Show (append x nil) = x using structural induction  Base case. x = nil. In this case, (append nil nil) returns nil = x.  By induction assume recursive call satisfies the property [note (rest x) is smaller than x]  I.E. (append (rest x) nil) = (rest x)  Thus (append x nil) returns (cons (first x) (rest x)) = x

Proof of Property 2  Show (length (append x y) = (+ (length x) (length y)) using structural induction on x  Base case. x = nil. (append nil y) = y and (length y) = (+ (length nil) (length y))  By induction assume recursive call satisfies the property  (length (append (rest x) y) = (+ (length (rest x)) (length y))  Thus (length (append x y)) = (length (cons (first x) (append (rest x) y)) = (+ 1 (length (rest x)) + (length y)) = (+ (length x) (length y))

Proof of Property 3  Show (append x (append y z)) = (append (append x y) z)  Base case. x = nil. (append nil (append y z)) = (append y z) = (append (append nil y) z)  Assume property holds for (rest x)  (append (append x y) z)  (append (cons (first x) (append (rest x) y)) z) [by def]  (cons (first x) (append (append (rest x) y) z)) [by def]  (cons (first x) (append (rest x) (append y z))) [by IH]  (append (cons (first x) (rest x)) (append y z)) [by def]  (append x (append y z)) [by property of cons]

Logical Axioms  Propositional Axiom Schema: (    )  Expansion: derive (  1   2 ) from  2  Contraction: derive  from (    )  Associativity: derive (  1   2 )   3 from  1  (  2   3 )  Cut: derive (  2   3 ) from (  1   2 )  (  1   3 )   -Introduction: If x not free in B then derive  x A  B from A  B

Instantiation  Derive  |  from . That is, if  is a theorem and  is a substitution, then by instantiation,  |  is a theorem.  Substitution ((var 1 term 1 )... (var n term n ))  Example. From the theorem  (equal (first (cons x y)) x) We can derive  (equal (first (cons (foo x) (bar z))) (foo x))

Equality  Reflexivity Axiom: x=x  Equality Axiom: [(x 1 = y 1 ∧ x 2 = y 2 )]  [(x 1 = x 2 )  (y 1 = y 2 )]  Implies = is an equivalence relation  Reflexive x = x  Symmetric x = y  y = x  Transitive x = y  y = z  x = z  Equality Axiom Schema for Functions  (x 1 = y 1 ∧  ∧ x n = y n ) ⇒ (f x 1  x n ) = (f y 1  y n )

Sound and Complete  Allows use of classic results (derived rules) from logic  Propositional tautology  Case analysis  Derive  from (  1    n ) and  i    Substitution of equals for equals  If  1 =  2 then in any formula  we may replace  1 by  2 in   Deduction law  May assume hypotheses of formula as givens while trying to prove conclusion

Proof of Soundness and Completeness  Show equivalent to natural deduction  Derive  2 from  1 and  1   2 1.  1 Given 2.  1   2 Given 3.  2   1 Expansion 1 4.  1   2 Commutativity of  [must show] 5.  2   2 Cut 4,2 6.  2 Contraction 5

Axioms of ACL2  x = nil ⇒ (if x y z) = z  x  nil ⇒ (if x y z) = y  x = y ⇒ (equal x y) = t  x  y ⇒ (equal x y) = nil  (equal (first (rest x y)) x)  nil  t  nil  (equal x y) = t  x = y  (equal x y) = nil  x  y  (first (cons x y)) = x

Propositional Functions  (not p) = (if p nil t)  (or p q) = (if p t (if q t nil))  (and p q) = (if p (if q t nil) nil)  (implies p q) = (if p (if q t nil) t)  (iff p q) = (if p (if q t nil) (if q nil t))  (not p)   (p  nil)  (or p q)  (p  nil)  (q  nil)  (and p q)  (p  nil)  (q  nil)  (implies p q)  (p  nil)  (q  nil)

Remaining Axioms  (rest (cons x y)) = y  (consp (cons x y)) = t  Axiomatize other data types  symbol, number, characters, strings  (implies (consp x) (not (symbolp x)) [disjoint]  Derive (consp nil) = nil  Axioms from arithmetic – rationals are an ordered field for constants 0, 1 and +,-,*,/, and <

Definition of Append (defunc app (a b) :input-contract (and (listp a) (listp b)) :output-contract (and (listp (app a b)) (equal (len (app a b)) (+ (len a) (len b)))) (if (endp a) b (cons (first a) (app (rest a) b))))

Necessary Functions (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (if (consp l) (listp (rest l)) (equal l ()))) (defunc endp (a) :input-contract (listp a) :output-contract (booleanp (endp a)) (equal a nil))

Proving Properties  Associativity of app  (app x (app y z)) = (app (app x y) z)  Definitional axiom  Input contracts and context  Formal reasoning needed for induction  Base Case when x = nil  (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z))  General case assuming inductive hypothesis  (listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))

Definitional Axiom (listp a) ∧ (listp b) ⇒ (app a b) = (if (endp a) b (cons (first a) (app (rest a) b))) Can’t expand body unless (listp a) and (listp b) In general every time we “successfully admit a function” we get an axiom: ic ⇒ (f x 1... x n ) = body Can’t expand body unless ic is satisfied.

Application of Append Theorem [CA]: (listp y)  (listp z)  (app (cons x y) z) = (cons x (app y z))  (app (cons x y) z)  (if (endp (cons x y)) z (cons (first (cons x y)) (app (rest (cons x y)) z))) [def of app and inst]  (if nil z (cons (first (cons x y)) (app (rest (cons x y)) z))) [def of endp and consp axiom]  (cons (first (cons x y)) (app (rest (cons x y)) z)) [if axiom]  (cons x (app y z)) [axioms for first and rest]

Base Case  Theorem: (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z))

Conjecture Contract Checking  Make sure all hypotheses are present in your conjectures  Conjecture: (endp x) ⇒ (app (app x y) z) = (app x (app y z))  Taking into account all input contracts  Conjecture: (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z))

Context  Conjecture: (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z))  (implies (and (endp x) (listp x) (listp y) (listp z)) (iff (app (app x y) z) (app x (app y z))  hyp 1 ∧ hyp 2 ∧  ∧ hyp n ⇒ conc  Context = {hyp 1, hyp 2,…, hyp n }  Context of conjecture = {(endp x), (listp x), (listp y), (listp z)}

Implications of Context Conjecture: (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z)) C1. (endp x) C2. (listp x) C3. (listp y) C4. (listp z) C5. x = nil {C1, C2}

Testing Conjecture (let ((x nil) (y nil) (z nil)) (implies (and (endp x) (listp x) (listp y) (listp z)) (equal (app (app x y) z) (app x (app y z)))))

Testing Conjecture (test? (implies (and (endp x) (listp x) (listp y) (listp z)) (equal (app (app x y) z) (app x (app y z)))))

Proof of Conjecture Theorem: (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z)) C1. (endp x) C2. (listp x) C3. (listp y) C4. (listp z) C5. x = nil {C1, C2} (app (app x y) z) (app y z) [def of app, def of endp, C5, if axiom] (app x (app y z) ) [def of app, def of endp, C5, if axiom]

General Case  Theorem. [(consp x)  (listp x) ∧ (listp y) ∧ (listp z)  [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]] ⇒ (app (app x y) z) = (app x (app y z))

Rearranging Contexts (consp x) ⇒ [[(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))] ⇒ [(listp x) ∧ (listp y) ∧ (listp z) ⇒ (app (app x y) z) = (app x (app y z))]]  [(consp x)  [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))] ⇒ [(listp x) ∧ (listp y) ∧ (listp z) ⇒ (app (app x y) z) = (app x (app y z))]]

Rearranging Contexts [(consp x)  [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))] ⇒ [(listp x) ∧ (listp y) ∧ (listp z) ⇒ (app (app x y) z) = (app x (app y z))]]  [(consp x)  (listp x) ∧ (listp y) ∧ (listp z)  [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]] ⇒ (app (app x y) z) = (app x (app y z))

Context of Conjecture Conjecture: (app (app x y) z) = (app x (app y z)) C1. (consp x) C2. (listp x) C3. (listp y) C4. (listp z) C5. [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]

Extending Context C1. (consp x) C2. (listp x) C3. (listp y) C4. (listp z) C5. [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))] C6. (listp (rest x)) [C1, C2, def of listp] C7. (app (app (rest x) y) z) = (app (rest x) (app y z)) [C6, C3, C4, C5, MP]

Proof of Theorem  Theorem. [(consp x)  (listp x) ∧ (listp y) ∧ (listp z)  [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]] ⇒ (app (app x y) z) = (app x (app y z)) Proof  (app (app x y) z)  (app (cons (first x) (app (rest x) y)) z) [def app, C1, C2, C3]  (cons (first x) (app (app (rest x) y) z)) [Thm CA,C3,C4,C6]  (cons (first x) (app (rest x) (app y z))) [C7]  (app x (app y z))) [def app, C1, C2, C3, C4]

Induction Scheme  Base Case  (endp x)  (listp x)  (listp y)  (listp z) ⇒ (app (app x y) z) = (app x (app y z))  Induction Step  [(consp x)  (listp x) ∧ (listp y) ∧ (listp z)  [(listp (rest x)) ∧ (listp y) ∧ (listp z) ⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]] ⇒ (app (app x y) z) = (app x (app y z))  Conclude (assuming termination)  (app (app x y) z) = (app x (app y z))

Induction in ACL2 ACL2 >QUERY (thm (implies (and (true-listp x) (true-listp y) (true-listp z)) (equal (app (app x y) z) (app x (app y z))))) > ^^^ Checkpoint Goal ^^^ *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. Perhaps we can prove *1 by induction. Five induction schemes are suggested by this conjecture. These merge into three derived induction schemes. However, two of these are flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP-INDUCTION- SCHEME, APP-INDUCTION-SCHEME-FROM-DEFINITION and TRUE-LISTP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (AND (TRUE-LISTP X) (TRUE-LISTP Y))) (:P X Y Z)) (IMPLIES (AND (AND (TRUE-LISTP X) (TRUE-LISTP Y)) (NOT (ENDP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (AND (AND (TRUE-LISTP X) (TRUE-LISTP Y)) (ENDP X)) (:P X Y Z))). This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. ^^^ Checkpoint *1 ^^^ Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( THM...) Rules: ((:DEFINITION APP-DEFINITION-RULE) (:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP-INDUCTION-SCHEME) (:INDUCTION APP-INDUCTION-SCHEME-FROM-DEFINITION) (:INDUCTION TRUE-LISTP) (:REWRITE APP-CONTRACT) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE LIST::TRUE-LISTP-OF-CONS) (:REWRITE LIST::TRUE-LISTP-OF-NON-CONSP)) Time: 0.37 seconds (prove: 0.19, print: 0.00, proof tree: 0.03, other: 0.16) Prover steps counted: Proof succeeded.

Induction in ACL2 We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP-INDUCTION- SCHEME, APP-INDUCTION-SCHEME-FROM-DEFINITION and TRUE-LISTP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (AND (TRUE-LISTP X) (TRUE-LISTP Y))) (:P X Y Z)) (IMPLIES (AND (AND (TRUE-LISTP X) (TRUE-LISTP Y)) (NOT (ENDP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (AND (AND (TRUE-LISTP X) (TRUE-LISTP Y)) (ENDP X)) (:P X Y Z))).

Induction in ACL2 This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. ^^^ Checkpoint *1 ^^^ Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D.

Induction in ACL2 Summary Form: ( THM...) Rules: ((:DEFINITION APP-DEFINITION-RULE) (:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP-INDUCTION-SCHEME) (:INDUCTION APP-INDUCTION-SCHEME-FROM-DEFINITION) (:INDUCTION TRUE-LISTP) (:REWRITE APP-CONTRACT) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE LIST::TRUE-LISTP-OF-CONS) (:REWRITE LIST::TRUE-LISTP-OF-NON-CONSP)) Time: 0.37 seconds (prove: 0.19, print: 0.00, proof tree: 0.03, other: 0.16) Prover steps counted: Proof succeeded.

Exercise (defun reverse (l) (if (equal l nil) nil (append (reverse (rest l)) (cons (first l) nil))))  Prove the following properties using induction  (length (reverse x)) = (length x)  (reverse (append x y)) = (append (reverse y) (reverse x))  (reverse (reverse x)) = x  Prove these properties using ACL2 64